Description: 

This check applies to the AWS Certificate Manager (ACM) service. ACM handles the complexity of creating and managing public SSL/TLS certificates for your AWS-based websites and applications. ACM certificates can secure multiple domain names and multiple names within a domain. You can also use ACM to create wildcard SSL certificates that can protect an unlimited number of subdomains.


Rationale: 

Logging can help you use AWS Certificate Manager (ACM) more effectively.


Remediation:

Certificate Transparency Logging

To guard against SSL/TLS certificates that are issued by mistake or by a compromised CA, some browsers require that public certificates issued for your domain be recorded in a certificate transparency log. The domain name is recorded. The private key is not. Certificates that are not logged typically generate an error in the browser.


You can monitor the logs to make sure that only certificates you have authorized have been issued for your domain. You can use a service such as Certificate Search to check the logs.


Before the Amazon CA issues a publicly trusted SSL/TLS certificate for your domain, it submits the certificate to at least two certificate transparency log servers. These servers add the certificate to their public databases and return a signed certificate timestamp (SCT) to the Amazon CA. The CA then embeds the SCT in the certificate, signs the certificate, and issues it to you. 
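The following is an added example, not code from this page or from AWS, that audits `describe-certificate` records for the ACM option that controls this behaviour (`CertificateTransparencyLoggingPreference`) and prints the `aws acm update-certificate-options` command that turns logging back on. The sample records are constructed; treating a missing `Options` block as `ENABLED` (ACM's default) is an assumption made here.

```python
"""Audit ACM-issued public certificates for Certificate Transparency logging."""
from typing import Dict, List

# Assumption for this example: when ACM returns no Options block the
# certificate uses ACM's default, which logs to CT.
_DEFAULT_PREF = "ENABLED"


def ct_logging_disabled(cert: Dict) -> bool:
    """Return True when this describe-certificate record needs remediation.

    Only ACM-issued (AMAZON_ISSUED) public certificates carry the
    CertificateTransparencyLoggingPreference option; imported and
    private-CA certificates are out of scope for this check.
    """
    if cert.get("Type") != "AMAZON_ISSUED":
        return False
    pref = cert.get("Options", {}).get(
        "CertificateTransparencyLoggingPreference", _DEFAULT_PREF)
    return pref != "ENABLED"


def find_noncompliant(certs: List[Dict]) -> List[str]:
    """Return the ARNs of certificates that are not being CT-logged."""
    return [c["CertificateArn"] for c in certs if ct_logging_disabled(c)]


def remediation_command(arn: str) -> str:
    """Build the AWS CLI command that re-enables CT logging for one certificate."""
    return ("aws acm update-certificate-options --certificate-arn " + arn +
            " --options CertificateTransparencyLoggingPreference=ENABLED")


# Constructed sample records shaped like `aws acm describe-certificate` output.
SAMPLE_CERTS = [
    {"CertificateArn": "arn:aws:acm:us-east-1:123456789012:certificate/EXAMPLE-1",
     "DomainName": "www.example.com", "Type": "AMAZON_ISSUED",
     "Options": {"CertificateTransparencyLoggingPreference": "ENABLED"}},
    {"CertificateArn": "arn:aws:acm:us-east-1:123456789012:certificate/EXAMPLE-2",
     "DomainName": "api.example.com", "Type": "AMAZON_ISSUED",
     "Options": {"CertificateTransparencyLoggingPreference": "DISABLED"}},
    {"CertificateArn": "arn:aws:acm:us-east-1:123456789012:certificate/EXAMPLE-3",
     "DomainName": "legacy.example.com", "Type": "IMPORTED"},
]

if __name__ == "__main__":
    import boto3  # only needed for a live audit; the functions above are pure
    acm = boto3.client("acm")
    live = []
    for page in acm.get_paginator("list_certificates").paginate():
        for summary in page["CertificateSummaryList"]:
            arn = summary["CertificateArn"]
            live.append(acm.describe_certificate(CertificateArn=arn)["Certificate"])
    for arn in find_noncompliant(live) or find_noncompliant(SAMPLE_CERTS):
        print(remediation_command(arn))
```

Run against a live account the script needs ACM read permissions; applying the printed `update-certificate-options` command is the remediation step itself.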


Resources: 

https://docs.aws.amazon.com/acm/latest/userguide/acm-overview.html

https://docs.aws.amazon.com/acm/latest/userguide/acm-bestpractices.html